




Accelerate your journey to zero trust with zero trust orchestration
How to orchestrate secure, reduced friction user journeys within a Zero Trust Framework
Customer-facing applications
For example:
• Online retail websites
• Online and mobile banking apps
• Customer portals
Security risks:
• Customers are exposed to account takeovers and identity theft
• Fraud and scams lead to financial losses and reputational damage
• Data breaches result in data privacy violations and regulatory penalties
• Ransomware attacks pose an existential threat to business operations
Employee-facing applications
For example:
• HR portals
• File systems
• Line-of-business apps
Security risks:
• Risk of intrusion and data theft by hackers and fraudsters
• Potential abuse of resources by employees
• Overly permissioned users disrupt systems, either by accident or by intent.
INTRODUCTION
Cloud computing and interconnectivity have changed IT security forever. In the old days, when all your servers lived in your own data centre and everyone connected directly within your corporate network, or via VPN, you could rely on your corporate firewall as a fixed perimeter security control. Today, your employees, partners and customers — as well as connected devices from the Internet of Things — could be logging in from any location, via any network, to services hosted anywhere.
Keeping your business safe in these complex hybrid, multi-cloud, hyper-connected and highly-collaborative landscapes is far more challenging.
Organisations are increasingly recognising that the only way to stay secure in this world while providing a frictionless user experience is through a Zero Trust security approach, which replaces reliance on legacy network security controls with an approach where every access request is assessed on a rich contextual basis. This Zero Trust Architecture becomes the new perimeter.
Zero Trust is no longer just a buzzword — it’s now mandated or recommended by governments and industry bodies around the world. However, we see that a successful adoption of Zero Trust principles such as those defined in NIST SP 800-207 requires the orchestration of multiple elements that combine to provide policy-based controls that work across user journeys and channels. These user journeys often involve both legacy and modern systems and services that need to work together seamlessly — and managing these interactions introduces new problems.
This paper explores best practices for orchestrating these interoperating elements as part of a comprehensive Zero Trust framework, addressing the following key questions:
• What are the market challenges that are driving organisations to implement Zero Trust?
• What is a Zero Trust Orchestration layer, and why is it required?
• Where does an Orchestration layer deliver the greatest benefits?
• How are Capgemini and Ping Identity helping organisations adopt Zero Trust Orchestration?
MARKET CHALLENGES DRIVING ZERO TRUST
We now live in a world where employees expect to be able to work from anywhere and log in to corporate and partner systems via any device on any available network connection. The challenge for organisations is to open up more streamlined, user-friendly access for employees in this modern environment, while maintaining appropriate levels of security to protect against increasingly sophisticated cyber threats.
Meanwhile, customers (and regulators) are increasingly concerned about data privacy and the risk of identity theft, fraud and scams. Customer-facing systems which have traditionally been designed to maximise user convenience in a siloed way must now find ways to bolster security and protect customer data, while simultaneously improving the user experience.
User experience risks (the security risks are listed alongside the application types above)
Customer-facing applications:
• A complex registration process discourages new customers from signing up
• Difficulty logging in increases the risk of shopping cart abandonment
• Personal data used in authentication raises privacy concerns
Employee-facing applications:
• Multiple logins and lack of SSO result in employees locking themselves out of their applications, impacting productivity
• Frequently re-entering user IDs, passwords and OTPs creates friction
Table 1: Drivers for Zero Trust (security risks and user experience risks for customer-facing and employee-facing applications)
Balancing the competing demands of security and user experience for customers and employees has become increasingly challenging due to the levels of connectivity and flexibility required by modern user journeys. A routine user journey — such as a customer ordering a product or an employee creating a purchase requisition — now often involves interactions between dozens of services, from legacy systems hosted in the company’s data centre to microservices and third-party SaaS applications running across multiple clouds. A key driver for a Zero Trust approach is that it can provide a solution to this demand for both security and user experience in today’s open environments, by taking into account the broader risk and context of the specific access at any point in time.
[Figure 2 pillars: Identity; Devices; Networks; Application & Workloads; Data]
THE ROLE OF ZERO TRUST ORCHESTRATION
A Zero Trust Orchestration service within a Zero Trust Architecture provides a policy and integration layer capable of connecting identity elements from many systems, providing a single point of control.
An Orchestration service can capture signals from your underlying applications and infrastructure and pass them to a central policy engine that drives smart, real-time decision-making during complex user journeys. And best-practice Orchestration solutions, such as PingOne DaVinci, empower you to map out these user journeys as seamless flows, while defining the authentication and authorisation requirements for each resource based on appropriate risk metrics.
A Zero Trust Orchestration service makes it possible to implement Zero Trust principles quickly, effectively, and cost-efficiently — so you can design, deploy and evolve your user journeys seamlessly in response to emerging business needs.
[Figure 2 cross-cutting capabilities: Visibility and Analytics; Automation and Orchestration; Governance]
WHY DO WE NEED ZERO TRUST ORCHESTRATION?
As described above, a Zero Trust approach is becoming the only viable solution for effectively providing access in these extended IT ecosystems. However, implementing and managing a comprehensive Zero Trust framework can be complex.
The fundamental principle of the Zero Trust model is based on the assumption of a breach and entails a meticulous examination of each request as if it were originating from an entirely untrusted source, such as the unrestricted internet. Regardless of the origin or the resource being accessed, the Zero Trust approach mandates a “never trust, always verify” methodology.
Each request must provide sufficient evidence of its legitimacy as originating from an authorized user or application. Every access request undergoes comprehensive authentication, authorization, and encryption before and during the session. Additionally, the level of verification deemed “sufficient” may vary dynamically based on context, necessitating additional security measures and/or access privileges to be modified.
Establishing the context for Zero Trust verification requires the organisation to gather information (or “signals”) from a number of different sources, which are potentially interpreted by multiple policy engines. As Zero Trust implementations become more sophisticated and the number and type of signals increase, a Zero Trust Orchestration layer becomes vital to integrate the information from all these signals, make dynamic decisions on whether the access request aligns with security policies, and trigger an appropriate response from the security tooling that enforces access control across the technology stack. It is this ability to take signals, make smart access control decisions based on those signals and then orchestrate the enforcement of policy throughout the technology stack that forms the core of the technology implementation element of a Zero Trust programme.
Figure 2: Zero Trust Maturity Model Pillars, CISA Zero Trust Maturity Model, Version 2.0, April 2023. CISA define Automation and Orchestration as a foundational cross-cutting capability for Zero Trust Architectures.
[Figure: Policy-driven Orchestration. Risk signals feed Decisioning (Approve, Deny, Challenge, Obfuscate) and Enforcement. Results: access decisions based on fully orchestrated policies acting on comprehensive best-of-breed risk signals; managed edge Zero Trust use-cases with the best vendors for the task.]
ZERO TRUST ORCHESTRATION USE CASES
We now see Zero Trust Orchestration as a fundamental component within any Zero Trust Architecture. Some use cases where Zero Trust Orchestration is particularly beneficial include:
Providing adaptive trust in complex heterogeneous environments
Zero Trust Orchestration can help you gather risk signals from right across your network, including various risk and policy engines, and wider security tooling, to feed them into a central Orchestration policy engine that can deny, approve, log or request additional authentication for access requests at all relevant stages in your user journeys. Moreover, a Zero Trust Orchestration service can then enable automated risk mitigations beyond Access Management, such as firewall and device patching, or removal of access rights through IGA integration, proactively preventing incidents and saving time for your security team.
Industry-leading solutions such as PingOne DaVinci allow organisations to streamline and simplify this process by including integration connectors to security tools like CrowdStrike, OPSWAT, Splunk, Intune, JAMF, PingOne Protect and hundreds more, all out of the box.
[Figure 3: Providing adaptive trust in complex heterogeneous environments. Best-of-breed risk signals from multiple vendor sources: Device Update Available; Suspicious Originating IP Address; Suspicious Browser History; Device Vulnerability Detected.]
Figure 3: Feed best-of-breed risk signals into your orchestration policy engine to ensure appropriate decisioning, enforcement, and remediation.
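As an added illustration of the signal-to-decision-to-enforcement loop described in the section on why orchestration is needed and in the adaptive-trust use case above (a constructed example, not PingOne DaVinci or Capgemini code): a small central policy engine that combines weighted risk signals such as those in Figure 3 into one of the decisions Approve, Obfuscate, Challenge or Deny, and lists the remediation actions the orchestrator would trigger. Connector names, signal weights, thresholds and remediation names are assumptions.

```python
"""Constructed Zero Trust orchestration policy engine (not Ping/Capgemini code):
weighted risk signals from hypothetical connectors are combined by one central
policy into an access decision plus the remediation actions to trigger."""
from dataclasses import dataclass, field

# Assumed weights: each signal kind's contribution to the overall risk score.
SIGNAL_WEIGHTS = {
    "device_update_available": 1,        # low: hygiene issue, not an active threat
    "suspicious_ip": 3,                  # medium: origin is unusual for this user
    "device_vulnerability_detected": 5,  # high: endpoint is known to be exploitable
}

# Assumed remediations beyond access management (device patching, quarantine).
REMEDIATIONS = {
    "device_update_available": "schedule_device_patch",
    "device_vulnerability_detected": "quarantine_device_and_patch",
}

@dataclass
class Signal:
    source: str  # hypothetical connector name, e.g. "edr-connector"
    kind: str    # a key of SIGNAL_WEIGHTS

@dataclass
class Decision:
    action: str  # "approve" | "obfuscate" | "challenge" | "deny"
    risk: int = 0
    remediations: list = field(default_factory=list)
    reasons: list = field(default_factory=list)  # audit trail of scored signals

def decide(signals, sensitive=False, challenge_at=3, deny_at=5):
    """Combine all signals under a single policy and return one decision."""
    d = Decision(action="approve")
    for s in signals:
        weight = SIGNAL_WEIGHTS.get(s.kind, 0)  # unknown kinds are logged, not scored
        d.risk += weight
        d.reasons.append(f"{s.source}:{s.kind}(+{weight})")
        fix = REMEDIATIONS.get(s.kind)
        if fix and fix not in d.remediations:
            d.remediations.append(fix)
    if d.risk >= deny_at:
        d.action = "deny"
    elif d.risk >= challenge_at:
        d.action = "challenge"  # step-up authentication before access is granted
    elif d.risk > 0 and sensitive:
        d.action = "obfuscate"  # allow, but mask sensitive fields in the response
    return d
```

The remediations list is what a real orchestration layer would hand to its connectors (MDM, EDR, IGA) after the access decision, so a low-risk signal still produces a patching action even when access is approved.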
Rapid development and integration
Best-practice Zero Trust Orchestration services make it easy to develop and deploy new user journeys by seamlessly integrating new services and components into authentication and authorisation flows. With a low-code, drag-and-drop interface, you can quickly extend your Zero Trust landscape to secure additional systems and resources, and easily introduce new identity, security and risk services to gain even richer context to inform your authentication and authorisation policies.
User journey optimisation
Zero Trust Orchestration not only creates a unified point of control for your Zero Trust architecture — it also provides centralised visibility across your user journeys. It enables you to introduce alternative flows and perform A/B testing to determine optimal risk thresholds. This gives the insight needed to add or reduce friction at appropriate stages in each user journey to ensure policy compliance and maintain security while also delivering a better user experience.
Case study: Electricity Systems Operator
Capgemini helped a major national energy network operator unify customer journeys across a variety of modern and legacy applications for more than 10,000 users with a Zero Trust single sign-on (SSO) solution. Using PingOne DaVinci, the team orchestrated key customer journeys including authentication, registration, social login and self-service — simplifying identity management, strengthening security, improving user experience, and saving time for the IT service desk.
Case study: Pharmaceutical Company
Capgemini enabled a large multinational pharmaceutical company to modernise its digital landscape by creating a Zero Trust security framework for more than 20,000 employees across more than 150 global locations. The solution significantly improves the user experience and simplifies the technical infrastructure, as well as optimising capital and operational expenditure and streamlining the integration of new mergers and acquisitions.
NEXT STEPS
To learn more about how Capgemini and Ping Identity can help your organisation embrace Zero Trust Orchestration to provide your customers and employees with reduced friction user experiences, without compromising on security, reach out to us today.
AUTHORS
Andrew Critchley
Global Head of IAM Capability
Capgemini
Andrew.critchley@
Rob Otto
Field CTO / Principal Solutions Architect
Ping Identity
Robotto@
TAKING ZERO TRUST FROM THEORY TO PRACTICE
To make the shift to a Zero Trust Architecture, it helps if you can call on the experts. Capgemini has one of the largest Identity and Access Management (IAM) practices in the world, with over 1,000 consultants who have delivered more than 200 major IAM projects in the last five years alone. Based on its long-established Ping Identity track record and number of certified staff, Capgemini is also a Ping Delivery Approved Elite Partner. And Capgemini has recently transformed its own internal IT security model to embrace Zero Trust principles, using Ping Identity extensively within the Zero Trust Identity tower and for Identity Orchestration.
Capgemini is now providing Identity and Zero Trust services to our clients, built around four key pillars:
• Assess: measure the maturity of your organisation’s approach to implementing Zero Trust in alignment with the industry-standard maturity model developed by CISA.
• Advise: advise on all elements of Zero Trust, from governance, operating models, and principles through to architecture and design – Zero Trust is not simply a matter of technology.
• Implement: work with you to implement secure Zero Trust environments, governance, and operational services.
• Operate: manage Zero Trust technologies from secure locations across the globe, providing full security monitoring and response 24x7.
Together with Ping Identity, Capgemini can work with you to help start or accelerate your Zero Trust journey – using our knowledge of all areas of Zero Trust including Zero Trust Orchestration to make this a reality.
ZERO TRUST ORCHESTRATION SOLUTIONS – PINGONE DAVINCI
Having implemented PingOne DaVinci with multiple clients, Capgemini sees PingOne DaVinci as a best-practice solution for Zero Trust Orchestration in Identity. A particular strong point of PingOne DaVinci is that it has allowed us to build identity flows using its highly visual, drag-and-drop interface, without needing to write a single line of code. This simplifies and accelerates the process of creating, updating, testing and deploying user journeys that optimise security while minimising friction for end-users.
Furthermore, PingOne DaVinci is completely vendor-agnostic and integrates easily with third-party services. This makes it particularly suitable for organisations that want to build a Zero Trust Orchestration layer on top of their existing legacy identity